I've got a bit of a puzzler - I am an administrator on both a Windows 10 and a Mac Catalina machine.
The Windows machine is currently running software that has a known bug - SSH commands are sent to a Mac by a large piece of .NET Software that is difficult to RE (due more to its size than complexity) over SSH. The 2 PCs are on the same network.
The SSH commands fail, but I don't know what they are. I would like to record these actions, or at least view them in some way, so I can change the behavior of the receiving end (Mac) to take the correct action (bug workaround).
Here is what I've tried to view the SSH commands:
- Run Wireshark (on both sides), try to decode the Diffie-Hellman exchange via SSH keys (I don't know how this works exactly, so I'm fumbling my way through - e.g. I don't know how to use RSA keys to decode the conversation)
- Try Strace - doesn't exist on Mac machines. Alternative option dtruss may work but I don't know the commands and have to bypass SIP.
- Try to log SSH commands by using .bashrc auto-logging - this has now been replaced by .zprofile and .zshrc - this doesn't appear to work, and no history is left in z_history or bash_history. It works when I run interactive Terminal commands though. This may be due to commands being chained to the initial SSH command, e.g. ssh user@host SOMECOMMAND.
- Run ProcMon, see if the commands are in some secret config file. Can't seem to find it.
- Decompile using Reflector and dnSpy - I find some logic on how to transmit SSH commands, but no hard-coded actual commands.
What am I missing? Is there some obvious way to do this that I've overlooked?
I am relatively versed in making things work, so if I have an idea of the best path forward, I'll focus my attention there. There just seem to be too many options in a large space to know how to proceed.
I've read there are maybe ways to do this via the sshd_config on the SSH host (Mac), but I have no idea which settings would actually work, and apparently Mac does things in a special way.
[Please feel free to move this to the appropriate StackExchange site, not sure which is best for this]
This looks like a typical case for auditing. I've no experience configuring it on Mac OS, so here are references to some documentation and examples:
https://opensource.apple.com/source/OpenBSM/OpenBSM-21/openbsm/man/
https://krypted.com/mac-os-x/quick-dirty-openbsm-auditing-macos/
It looks like a type of auditd is also available: https://opensource.apple.com/source/system_cmds/system_cmds-336.10/auditd.tproj/auditd.8.auto.html
Enabling auditing and parsing the logs should work, and the logs should contain all commands that have been executed on the destination system.
E.g. knowing the ssh user, you can start with audit_user and configure ex syscalls to be logged for this specific user. In case the user is changed during the session it might not capture everything, but at least up to the user switch command.
/etc/security/audit_user:
yoursshuser:ad,ex:no
For a quick start try something like
auditreduce -u <userid> -c ex /dev/auditpipe | praudit
This should provide live logs from the user's exec syscalls. I suggest forgetting any approaches through shell histories and the like, as you don't know if a shell is used. E.g. a script is copied over and the shell is just switched. Interesting are the ex syscalls; these contain all executions, no matter how they are triggered.
EDIT FOR MAC: Specifically for Mac (with System Integrity Protection [SIP] on, e.g. Catalina/El Capitan/etc.), OpenBSM will not record bash commands that don't result in actual execution of a program.
If you would like to record incorrect commands (e.g. ASDFASDFASDF), then the best option appears to be using dtruss - dtrace may also work, but the difficulty in getting it to work properly appears to be higher. First, disable SIP, then run the following to record all system calls for bash processes:
Incorrect commands will be "searched for" in various environment locations, in the stat64 calls. E.g.
stat64("/usr/bin/ASDFASDFASDF",...)
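As an added, worked example (not code from the answer above, nor from OpenBSM), here is a small Python filter for the auditreduce ... | praudit stream described above. It turns praudit's default comma-separated text output into one line per exec: who ran what, as which uid, and whether the exec succeeded. It assumes praudit's default text format with names resolved; that /etc/security/audit_control has argv in its policy line (without it there is no "exec arg" token and you only get the binary's path); and that the flag is ex rather than +ex, so failed execs are recorded too. The sample records at the bottom are constructed for illustration, not captured, and the script name used below, exec_log.py, is just an assumed filename. Two details help when reading the output: sshd runs a remote command as the user's login shell with -c <command>, so the shell's own exec record already carries the complete command line the client sent, even if what it names never resolves; and the subject token records the audit-uid (the login identity) separately from the current uid, so commands run after sudo still show which SSH user started them.

```python
# praudit(1) text -> one line per exec. Added example, not from the original
# post; the SAMPLE below is constructed, not captured.
import sys
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional


@dataclass
class ExecRecord:
    event: str                # e.g. "execve(2)"
    when: str                 # timestamp text from the header token
    path: Optional[str]       # binary executed (first path token)
    argv: List[str]           # "exec arg" token; needs policy argv in audit_control
    audit_uid: Optional[str]  # login identity; unchanged by su/sudo
    uid: Optional[str]        # effective uid at exec time
    status: Optional[str]     # "success" or "failure : <strerror>"


def parse_praudit(lines: Iterable[str]) -> Iterator[ExecRecord]:
    """Yield one ExecRecord per audit record carrying an 'exec arg' token.

    praudit's default format is one comma-separated token per line, from
    'header,...' to 'trailer,...'. Commas inside an argument are ambiguous
    here; use 'praudit -x' (XML) if the commands may contain them.
    """
    rec: Optional[ExecRecord] = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        tok, _, rest = line.partition(",")
        if tok == "header":
            # header,<len>,<version>,<event>,<modifier>,<timestamp>, + <ms> msec
            f = rest.split(",")
            rec = ExecRecord(event=f[2] if len(f) > 2 else "",
                             when=f[4].strip() if len(f) > 4 else "",
                             path=None, argv=[], audit_uid=None,
                             uid=None, status=None)
        elif rec is None:
            continue  # token outside any record (truncated stream)
        elif tok == "path":
            if rec.path is None:  # execve records repeat the path token
                rec.path = rest
        elif tok == "exec arg":
            rec.argv = rest.split(",")
        elif tok == "subject":
            # subject,audit-uid,uid,gid,ruid,rgid,pid,sid,tid
            f = rest.split(",")
            rec.audit_uid = f[0]
            rec.uid = f[1] if len(f) > 1 else None
        elif tok == "return":
            rec.status = rest.split(",")[0]
        elif tok == "trailer":
            if rec.argv:  # records without exec args are not execs
                yield rec
            rec = None


def format_exec(r: ExecRecord) -> str:
    who = r.audit_uid if r.audit_uid == r.uid else f"{r.audit_uid} (as {r.uid})"
    return f"[{r.when}] {who}: {' '.join(r.argv)} -> {r.status}"


def execs_for_user(lines: Iterable[str], audit_uid: str) -> List[ExecRecord]:
    """What 'auditreduce -u' filters on, applied to already-decoded text."""
    return [r for r in parse_praudit(lines) if r.audit_uid == audit_uid]


# Constructed sample. Record 1: sshd runs the remote command through the
# login shell, so the whole command line sits in the shell's own argv.
# Record 2: the program the shell exec'd after sudo (uid changed, audit-uid
# did not). Record 3: exec of a missing binary, logged as a failure because
# the flag is ex rather than +ex. Record 4: another class; must be skipped.
SAMPLE = """\
header,142,11,execve(2),0,Sun Feb  2 10:15:01 2020, + 412 msec
exec arg,zsh,-c,sudo /usr/local/bin/deploy --target /Users/alice/Incoming
path,/bin/zsh
path,/bin/zsh
subject,alice,alice,staff,alice,staff,4242,100007,4242,0.0.0.0
return,success,0
trailer,142
header,155,11,execve(2),0,Sun Feb  2 10:15:01 2020, + 530 msec
exec arg,/usr/local/bin/deploy,--target,/Users/alice/Incoming
path,/usr/local/bin/deploy
subject,alice,root,wheel,root,wheel,4244,100007,4244,0.0.0.0
return,success,0
trailer,155
header,120,11,execve(2),0,Sun Feb  2 10:15:02 2020, + 7 msec
exec arg,/opt/legacy/bin/sync-tool,--fast
path,/opt/legacy/bin/sync-tool
subject,alice,alice,staff,alice,staff,4246,100007,4246,0.0.0.0
return,failure : No such file or directory,-1
trailer,120
header,87,11,open(2) - read,0,Sun Feb  2 10:15:02 2020, + 11 msec
path,/etc/passwd
subject,alice,alice,staff,alice,staff,4246,100007,4246,0.0.0.0
return,success,3
trailer,87
"""

if __name__ == "__main__":
    # Pipe praudit output in, or pass --demo to run on the sample above.
    src = SAMPLE.splitlines(True) if "--demo" in sys.argv else sys.stdin
    for r in parse_praudit(src):
        print(format_exec(r))
```

To use it on the live stream from the answer: sudo auditreduce -u yoursshuser -c ex /dev/auditpipe | sudo praudit | python3 exec_log.py. Running python3 exec_log.py --demo prints the three execs from the built-in sample and skips the open(2) record. The first line of that output is the one that answers the original question: the zsh -c record shows the exact command string the remote client sent, before the shell tried to resolve it.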
If you have access to the shell where the commands are executed, you could try to redirect the file descriptors in the shell's profile to a logfile. Or turn on history. Or use sysdig.